Abstract

The client, a UK based bank offering secure online payment and banking services to its customers, wanted to assess the security posture of its web application, networks and all other IT assets.

Client Profile

The client is a UK based bank offering services to meet the needs of customers managing and moving money online. The client had planned to launch an online banking provision to make it easy to move money to and from merchants and other customers within a secure online environment.

Background

The client is a UK based independent bank authorized and regulated by the Financial Services Authority. The client had planned to offer its customers a reliable online payment and banking service. To ensure the security of the online banking portal, it was imperative for the client to make sure that the application was not easily susceptible to misuse and fraud, which would lead to loss of reputation, loss of customer trust and financial loss. The client wanted assurance, before the roll out, that the web application was secure and had appropriate security controls built in. ECD consultants performed the web application penetration testing to identify and minimize the risk of a security breach.

Business Need

The client was initially approached by the company to take care of their web applications, computer networks and other IT assets, protect them from security threats and provide a trusted environment for conducting secure transactions over the web. Since the client is a bank and deals with financial transactions, the primary concerns were security and quality:

o Provide data protection and customer privacy
o Prevent targeted fraudulent and illegal activities
o Protect brand image

Proprietary & Confidential Information

For security testing, the client's main concern was to identify vulnerabilities clearly and accurately, with a minimum of false positives, and protect their web applications.

Challenges

The main challenges faced were:

o Changing the proposed testing tools because of limitations with the developed application and tool compatibility, so that the business application would not be affected in real time
o Close communication with the client was required, as the product was being tested rapidly in accordance with the end user requirements
o Manual testing for various high potential vulnerabilities to make sure that the application is secure
o Managing the team effectively so that the work met the client's expectations

To add more value to the findings, a team of experienced project managers went through the report and reviewed it for strategic analysis. The report was then presented according to the specified client template. Further areas of concern were to check the robustness, speed, fault tolerance, security, cost criteria and extensibility.

As agreed in the Statement of Work with the client, the following was done during testing:

Security Testing:

o Information Gathering and Error Enumeration
o Web-Server Tests
o Port/Service/Version Mapping Tests
o Protocol Based Tests
o Web Application Tests
o OS Based Tests
o PHP/ASP Based Tests
o Apache/IIS Advanced Test Vectors
o Authentication Tests

o Flash Tests
o DoS Attack Tests
o Tests on Network Devices and other IT Assets
o Exploitation of Found Vulnerabilities
o Social Engineering (Optional)

Penetration Testing:

Penetration testing attempts to verify that protection mechanisms built into a system will, in fact, protect it from internal and external.

Security Testing Approach:

o Identifies the resources needed to conduct the security test
o Explains the security test execution process
o Presents the security test schedule

A proper communication channel was established between the client and its development team to ensure that no gaps were left during the final testing. Weekly summary calls were held to ensure that the ECD team was in line with the development team and the client's expectations.

Test Automation

Security testing was achieved using automated web application vulnerability assessment and penetration testing tools such as Acunetix, AppScan, WebInspect, Burp Suite, Nessus, Core Impact, Metasploit Pro and QualysGuard. After the completion of automated testing, manual testing was carried out by our security consultants. Application access was given by the client on ECD's local test environment. A certified team of security consultants was deployed to identify the application vulnerabilities that could be exploited by an attacker.

To arrive at the security posture, the security consultants adopted the following approach:

o After thoroughly understanding the customer's security requirements and concerns, the security consultants customized the penetration testing methodology to achieve the scope of work outlined for the project
o Analysis of the banking application was performed to arrive at the attack scenarios

o Tests were executed using a combination of open source and commercial tools to ensure optimum results
o The web application was scanned using tools such as Acunetix, AppScan, WebInspect, Burp Suite, Nessus, Core Impact and QualysGuard to identify potential vulnerabilities; the scan results were reviewed to identify false positives
o The computer network was scanned using tools such as GFI LanGuard, Nessus and Qualys to identify potential vulnerabilities
o Proofs of concept were conducted to confirm the existence of the security issues
o The security consultants presented the final report to the client, highlighting the areas of concern, the vulnerabilities detected and the suggested remediation

Security Testing Benefits:

o Increased customer confidence
o Limited threat of legal liabilities
o Compliance with industry best security practices

Conclusion:

ECD has successfully completed the penetration tests for the web application and subsequent releases as per the client's requirements in a short span of time. Our clients regularly seek our support for testing their web applications, mobile applications, servers, computer assets and networks. We keep our clients' assets safe and reliable.
